A New Version of OpenSSH

11/26/2001

Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at the latest release of
OpenSSH version 3.0.1; buffer overflows in the HP-UX line printer
daemon, Berkeley's pmake, SuSE's ziptool, CDE Subprocess Control
Service Server, and Open UNIX and UnixWare's PPP Utilities; a minor
information leakage problem in OpenSSH and S/Key; and problems in Red
Hat's Stronghold, SuSE susehelp, and the Cyrus SASL library.

OpenSSH 3.0.1, the latest release, supports SSH protocol versions 1.3,
1.5, and 2.0, and includes support for sftp (both client and server).
It fixes a variety of bugs, including a security vulnerability that can
allow an unauthorized user to authenticate on systems that have
KerberosV enabled, a potential denial-of-service vulnerability, and
others.

The line printer daemon rlpdaemon that is distributed with HP-UX has a
buffer overflow that can be exploited by a remote attacker to gain
root permissions on the server. HP-UX versions 10.01, 10.10, 10.20,
11.00, and 11.11 are reported to be vulnerable. HP-UX ships with the
line printer daemon enabled by default.

Affected users should apply the appropriate patch and should consider
restricting access or firewalling the line printer daemon.
Administrators of systems not using the line printer daemon system
should consider disabling or removing the package.

Berkeley's pmake, a version of make that attempts to create programs
in parallel, is vulnerable to a buffer overflow and a format string
vulnerability. On systems where pmake is installed set user id root,
these vulnerabilities can be exploited by a local user to execute
arbitrary code with the permissions of the root user. Versions 2.1.33
and earlier have been reported to be vulnerable.

Users should watch for an updated version of pmake and should remove
the set user id bit until pmake has been repaired.

The ziptool application shipped with SuSE Linux has a buffer overflow
that can be used, under some circumstances, by a local attacker to
execute arbitrary code with root permissions. In order for this
attack to be carried out, a Zip drive must be configured and a Zip disk
must be inserted.

SuSE has updated the ziptool package and recommends that affected users
upgrade as soon as possible.

It has been reported that there is a buffer overflow in the CDE
Subprocess Control Service Server dtspcd that affects all Unix systems
using Common Desktop Environment (CDE). This buffer overflow can
be exploited remotely to execute arbitrary commands with the
permissions of the root user. The Subprocess Control Service Server
is started by default in all CDE installations, runs as root, and by
default will accept remote connections.

It is recommended that users contact their vendor for an update to the
CDE Subprocess Control Service Server. Users should also consider
limiting access to the CDE Subprocess Control Service Server by using a
firewall or a tool such as tcpwrappers.

It has been reported that there are several minor problems with
OpenSSH's implementation of the S/Key and OPIE one-time password
systems. These problems can be used by an attacker to gather
information about a system as part of an attack. The one-time
password systems send a challenge string that contains the hash
algorithm used, a seed value that changes when the user changes his
passphrase, and the number of the password (which can tell the
attacker how often and when a user logs in). The OpenSSH S/Key
implementation will only provide the challenge string when a user
exists and is using one-time passwords, so the presence or absence of
a challenge tells a remote client whether an account is valid. It has
been reported that OpenSSH relies on the S/Key library to create fake
challenges.

It is not clear if there are good solutions to these problems.
Systems that require the security of one-time passwords may also need
to limit what addresses can connect by using a firewall or by
configuring SSH to limit connections to authorized hosts.
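The information leak described above comes from two properties of the challenge: its fields (algorithm, sequence number, seed) are meaningful to anyone who sees them, and it is only issued for real one-time-password users. The following is an added example, not code from OpenSSH, the S/Key library or the original column. It parses the RFC 2289 challenge format (`otp-<algorithm> <sequence> <seed>`), shows what the sequence number reveals, and sketches one way a server could hand out stable decoy challenges for unknown users so that the response shape no longer distinguishes valid from invalid accounts. The user table, the server secret and the decoy derivation (an HMAC over the username) are constructed for illustration.

```python
"""Added example: parsing OTP/S/Key challenges and issuing decoy
challenges for unknown users. Not part of OpenSSH or the S/Key library;
the decoy scheme is an assumption chosen for illustration."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# RFC 2289 challenge: "otp-<algorithm> <sequence> <seed>"
CHALLENGE_RE = re.compile(r"^otp-(md4|md5|sha1) (\d{1,4}) ([A-Za-z0-9]{1,16})$")


@dataclass(frozen=True)
class Challenge:
    algorithm: str   # hash the client must use (md4, md5 or sha1)
    sequence: int    # counts down by one per successful login
    seed: str        # changes only when the user re-initialises the password list


def parse_challenge(text: str) -> Challenge:
    """Split a challenge line into its three fields; reject anything else."""
    m = CHALLENGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an RFC 2289 challenge: {text!r}")
    return Challenge(m.group(1), int(m.group(2)), m.group(3))


def logins_since_reset(initial_sequence: int, challenge: Challenge) -> int:
    """The sequence number is decremented on every successful login, so the
    distance from the initial value is the number of logins since the seed
    was last changed. This is exactly what an observer can read off."""
    return initial_sequence - challenge.sequence


# Constructed user table (username -> current real challenge).
REAL_USERS = {
    "alice": "otp-md5 97 alpha1234",
    "bob": "otp-sha1 12 bravo5678",
}

# Constructed per-host secret; a real server would generate and store one.
SERVER_SECRET = b"constructed-per-host-secret"


def decoy_challenge(username: str, secret: bytes = SERVER_SECRET,
                    algorithm: str = "md5") -> str:
    """Derive a plausible, stable challenge for a username that has no
    one-time-password entry. Using an HMAC keyed with a host secret means
    repeated probes of the same name get the same answer (as a real user
    would between logins) while different names get different values."""
    digest = hmac.new(secret, username.encode("utf-8"), hashlib.sha256).digest()
    sequence = 1 + (int.from_bytes(digest[:2], "big") % 99)        # 1..99
    letters = "".join(chr(ord("a") + digest[i] % 26) for i in (2, 3))
    digits = int.from_bytes(digest[4:8], "big") % 100000
    seed = f"{letters}{digits:05d}"                                  # e.g. "ke01234"
    return f"otp-{algorithm} {sequence} {seed}"


def challenge_for(username: str, users: dict = REAL_USERS) -> str:
    """Always answer with a well-formed challenge, real or decoy, so that the
    presence of a challenge no longer reveals whether the account exists."""
    real = users.get(username)
    return real if real is not None else decoy_challenge(username)
```

The decoy only closes the most obvious gap. A real user's sequence number still decreases between logins while a decoy's does not, and the password list's seed still tells an observer how long it has been since a reset, so the firewall or host restriction recommended above remains the more reliable control.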

Red Hat's Stronghold, a secure SSL Web server based on Apache, has a
vulnerability that can be used to disclose sensitive system files and
to gather information that can be used as part of an attack on the
system.

Two URLs (stronghold-info and stronghold-status) will return
information and should have access restrictions placed upon them.
Affected users should upgrade to Stronghold/3.0 build 3015 as soon as
possible.

The susehelp package is a collection of CGI scripts that provide a
help system to users. Vulnerabilities in the package can be exploited
by a remote user to execute arbitrary commands with the permissions of
the wwwrun user account. This vulnerability affects SuSE versions 7.2
and 7.3.

Users should install the updated susehelp package available from SuSE.

The Cyrus SASL library has a format-string bug in one of its logging
functions that can be used remotely to execute arbitrary code. The
library is used to provide an authentication API for mail clients and
servers.

Users of the Cyrus SASL library should upgrade it to a repaired
version as soon as possible.

The PPP utilities supplied with Open UNIX 8.0.0 and UnixWare 7.1.0 and
7.1.1 have a buffer overflow in several utilities that link to
pppattach. These buffer overflows can be used by a local attacker to
gain root access.

Caldera recommends that affected users upgrade their PPP binaries and
that users who do not use PPP remove the set user id bit from
pppattach.
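Both the pmake and the pppattach advice comes down to the same administrative step: find the binary, confirm it is installed set-user-id, and clear that bit until a fixed version is available. The following is an added example, not code from Caldera, SuSE or the original column, that audits a directory tree for set-user-id regular files and strips the bit from a given file, reporting whether anything changed. Symbolic links are skipped so the audit reports only the real binaries; the path used in the usage line is a placeholder.

```python
"""Added example: audit a tree for set-user-id files and clear the bit.
Not part of any vendor's tooling; written to illustrate the mitigation
recommended for pmake and pppattach."""
import os
import stat
from typing import List


def is_setuid(path: str) -> bool:
    """True for a regular file (not a symlink) whose set-user-id bit is on."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def find_setuid(root: str) -> List[str]:
    """Walk `root` without following symlinks and list set-user-id files.
    Unreadable entries are skipped rather than aborting the audit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if is_setuid(path):
                    hits.append(path)
            except OSError:
                continue
    return sorted(hits)


def strip_setuid(path: str) -> bool:
    """Clear the set-user-id bit, leaving every other mode bit as it was.
    Returns True if the file was changed, False if the bit was not set."""
    st = os.lstat(path)
    if not st.st_mode & stat.S_ISUID:
        return False
    os.chmod(path, stat.S_IMODE(st.st_mode) & ~stat.S_ISUID)
    return True


if __name__ == "__main__":
    # Placeholder path: substitute the directory holding pmake or pppattach.
    for hit in find_setuid("/usr/local/bin"):
        print("set-user-id:", hit)
```

Clearing the bit does not remove the overflow; it only means a local user who triggers it gains their own privileges rather than root's. Re-run the audit after vendor updates, since a package upgrade may reinstall the binary with the bit set.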